[57] ABSTRACT

An intelligent removable information storage device (100), for coupling to a host microcomputer system (10), includes a local processor unit (106) including apparatus for preventing the microcomputer system from reading from or writing onto a storage device absent the entry of a password by a user of the host microcomputer system. The storage device also includes a storage medium (e.g., a magnetic disk) for storing information including at least one password. The local processor unit includes apparatus for preventing access to the information stored in the storage means absent receipt of a valid password.

10 Claims, 5 Drawing Sheets
REMOVABLE COMPUTER SECURITY DEVICE

This is a continuation of application Ser. No. 08/397,017, filed Mar. 1, 1995, now abandoned, which is a continuation of application Ser. No. 08/043,425, filed on Apr. 6, 1993, now abandoned.

BACKGROUND OF THE INVENTION 

This invention relates generally to removable peripheral devices for microcomputers, and more specifically to security for removable peripheral devices for personal computers.

Personal computer systems in general and IBM personal computers in particular have attained widespread use for providing computer power to many segments of today's modern society. Personal computer systems can usually be defined as desk top, floor standing, or portable microcomputers that consist of a system unit having a single system processor and associated volatile and non-volatile memory, a display monitor, a keyboard, one or more diskette drives, a fixed disk storage, and an optional printer. One of the distinguishing characteristics of these systems is the use of a motherboard, or system planar, to electrically connect these components together. These systems are designed primarily to give independent computing capability to a single user and are inexpensively priced for purchase by individuals or small businesses. Examples of such personal computer systems are IBM's PERSONAL COMPUTER XT and AT and IBM's PERSONAL SYSTEM/2 Models 25, 30, 35, 40, 50, 55, 56, 57, 60, 65, 70, 80, 90, and 95.

These systems can be classified into two general families. The first family, usually referred to as Family I Models, use a bus architecture exemplified by the IBM PERSONAL COMPUTER AT (AT is a trademark of the IBM corporation) and other "IBM compatible" machines. The second family, referred to as Family II Models, use IBM's MICRO CHANNEL bus architecture exemplified by IBM's PERSONAL SYSTEM/2 Models 50 through 95. Certain Family I and most Family II models typically use the high speed INTEL 80386 and 80486 microprocessors.

Such personal computers are characterized as having an "open" architecture. That is, the systems are designed and constructed in such a way that additional peripheral devices, such as removable media direct access storage devices (or DASD), may be selected and added to the systems, or an existing device may be changed for a device of a different type. The floppy disk drives mentioned above are one example of a removable media DASD.

Family II machines may have DASD using 3.5 inch diskettes to store 720 kilobytes or 1.44 megabytes or 2.88 megabytes of data. It is known and contemplated that other removable media DASD may be provided and may be used in or with personal computers of the general types described.

One such information storage device is the so-called personal computer card (or simply, pc card) made in accordance with the standard established by the Personal Computer Memory Card International Association (PCMCIA). All pc cards have the footprint of a credit card. These pc cards may be classified under two general categories: memory cards and input/output (I/O) cards. Memory cards were the first generation of cards specified by Release 1.0 of the PCMCIA standard. These cards are file-formatted and are used in substantially the same way as memory diskettes. I/O cards are specified in Release 2.0 of the standard. These types of cards include modems, local area networks (LANs), image cards, hard disk drives, faxes, and docking stations. There are three physical sizes for these cards. All three types are 54.0 mm in length, and 54.0 mm in width. Type I are 3.3 mm in thickness; Type II are 5.0 mm; and Type III, 10.5 mm. The PCMCIA standard is becoming widely used for connecting peripheral devices to portable and notebook personal computers and may be used for other types of pcs.

Protection from unauthorized users may be required in cases where confidential or classified information is handled by automated information systems, such as personal computer systems. The need for security becomes acute in systems using small removable information storage devices, such as pc cards, because of their value. There are two sources of value in these storage devices: (1) the intrinsic value of the device itself (DASD can represent up to one-third the value of the hardware cost of the system); and (2) the data contained in the device may itself be more valuable than the device. Previously, small removable memory devices (e.g., diskettes and CD ROMs) typically used physical means of security such as write-prevent tabs or switches and locks. Moreover, access to a computer system may require the use of a password. However, in the cases of small removable storage devices these security measures may be inadequate because of the attractiveness for theft of these devices. A thief of a small removable device could have read the information in the medium in a system not requiring a password and could also re-use the storage device itself. Additionally, in prior systems a password string was transferred to the host computer to enable password protection in a blind "set password function." Consider a device that does not have password protection enabled. It may have never been enabled, or the operator may have disabled it via the proper input of the required password(s). A malicious user or a virus software program could create and enable a new password without the permission of a legitimate operator; the drive then becomes password protected and unusable, even to a legitimate user. This can be a problem where the user did not intend the system to be password protected. Thus, a need exists for better security measures.

SUMMARY OF THE INVENTION 

Briefly, in accordance with the invention, a removable information storage device includes means for preventing the computer system from reading from or writing onto the storage device absent the entry of a selected password by a user of the host computer system.

BRIEF DESCRIPTION OF THE DRAWING(S) 

FIG. 1 is a perspective view of a personal computer system embodying this invention;

FIG. 2 is a block diagram of certain components of the personal computer of FIG. 1;

FIG. 3 is a block diagram of an intelligent removable 
information storage device in accordance with the invention. 

DESCRIPTION OF THE ILLUSTRATIVE EMBODIMENT(S)

Referring to FIG. 1, a microcomputer system 10 embodying the present invention is shown and generally indicated. The computer system 10 includes a monitor 12 and a keyboard 13. The computer system 10 also includes removable media direct access storage devices (DASDs) which are preferably a floppy disk drive 15 and a slot 14 for a personal computer card (or, simply, a pc card). The pc card is preferably one complying with the PCMCIA standard. In accordance with the invention, removable DASDs having processor means could include a password security feature that would prevent the unauthorized access to the information stored in these devices and the use of the devices themselves.

Referring to FIG. 2, there is shown a block diagram of a personal computer system illustrating the various components of the computer unit 11 of FIG. 1. The computer 10 includes a motherboard (or planar) having components mounted thereon. Also connected to the planar is the system processor 32, which comprises a microprocessor, connected by a high speed central processing unit (CPU) local bus 34, through a bus control timing unit 35, to a memory control unit 36, which is further connected to a volatile random access memory (RAM) 38. While any appropriate microprocessor can be used, one suitable microprocessor is the 80486 which is sold by Intel Corp.

The CPU local bus 34 (comprising data, address and control components) provides for the connection of the microprocessor 32, a math coprocessor 39, a cache controller 40, and a cache memory 41. Also coupled on the CPU local bus 34 is a buffer 42. The buffer 42 is itself connected to a slower speed (compared to the CPU local bus) system bus 44, also comprising address, data and control components. The system bus 44 extends between the buffer 42 and a further buffer (or latch/buffer) 68. The system bus 44 is further connected to the bus control timing unit 35 and a direct memory access (DMA) unit 48. The DMA unit 48 comprises a central arbitration unit 49 and DMA controller 50. A buffer 51 provides an interface between the system bus 44 and an optional feature bus such as the MICRO CHANNEL bus 52. Connected to the bus 52 are a plurality of I/O slots 54 for receiving MICRO CHANNEL adapter cards which may be further connected to an I/O device or memory.

An arbitration control bus 55 couples the DMA controller 50 and central arbitration unit 49 to the I/O slots 54 and a diskette adapter 56. Also connected to the system bus 44 is the memory control unit 36 which comprises a memory controller 59, an address multiplexor 60, and a data buffer 61. The memory control [illegible] row address and column address strobes (i.e., RAS and CAS decode). The [illegible] a random access memory, as represented by the RAM module 38. The memory controller includes the logic for mapping addresses to and from the microprocessor 32 to particular areas of RAM 38. This logic is used to reclaim RAM previously occupied by the basic input/output system (BIOS). Further generated by memory controller 36 is a ROM select signal [illegible] disable ROM 64.

While the microcomputer unit 10 is shown with a basic 1 megabyte RAM module, it is understood that additional memory can be interconnected as represented by the optional memory modules 65 through 67. For purposes of illustration only, the present invention is described with reference to the basic one megabyte memory module 38.

A latch buffer 68 is coupled between the system bus 44 and a planar I/O bus 69. The planar I/O bus 69 includes address, data, and control components respectively. Coupled along the planar I/O bus 69 are a variety of I/O adapters and other components such as the display adapter 70 (which is used to drive the monitor 11), a CMOS clock 72, nonvolatile CMOS RAM 74 (hereinafter referred to as NVRAM), a RS232 adapter 76, a parallel adapter 78, a plurality of timers 80, the diskette adapter (or controller) 56, an interrupt controller 84, and the read only memory (ROM) 64. The ROM 64 includes the BIOS (basic input/output system) that is used to interface between the I/O devices and the operating system of the microprocessor 32. BIOS stored in ROM 64 can be copied into RAM 38 to decrease the execution time of BIOS. ROM 64 is further responsive (via ROMSEL signal) to memory controller 36. If ROM 64 is enabled by memory controller 36, BIOS is executed out of ROM. If ROM 64 is disabled by memory controller 36, ROM is not responsive to address enquiries from the microprocessor 32 (i.e. BIOS is executed out of RAM).

The planar I/O bus 69, as described hereinafter, includes 
portions defined by conductive pathways formed in interior 
layers of the multilayer planar, and particularly includes a 
number of such pathways in a portion extending adjacent an 
edge of the planar which is positioned to extend adjacent one 
of the front and rear panels of the chassis. Such design of the 
planar makes possible the location of a number of I/O 
connectors along such a side edge for exchange of signals 
with such devices as the monitor, keyboard and printer. 

The clock 72 is used for time of day calculations and the
NVRAM is used to store system configuration data. That is, 
the NVRAM 74 will contain values which describe the 
present configuration of the system. For example, NVRAM 
74 contains information describing the capacity of a fixed 
disk or diskette, the type of display, the amount of memory, 
time, date, etc. Of particular importance, NVRAM 74 will
contain data (which can be one bit) which is used by 
memory controller 36 to determine whether BIOS is run out 
of ROM or RAM and whether to reclaim RAM intended to 
be used by BIOS RAM. Furthermore, these data are stored 
in NVRAM whenever a special configuration program, such 
as SET Configuration, is executed. The purpose of the SET 
Configuration program is to store values characterizing the 
configuration of the system to NVRAM. 

A PCMCIA interface 86 is coupled to the bus 69 for providing an interface and driver for pc cards (in accordance with the PCMCIA standard) that may be coupled to the computer system 10 via port 14.

Referring to FIG. 3, there is shown a simplified block diagram of an intelligent removable information storage device 100 in accordance with the invention. The device 100 comprises a storage medium (or media) 102 for storing information. This storage medium can take the form of an IC memory or a magnetic disk. The device 100 also includes a media control logic circuit 102, and a local processor 106. Thus, the device 100 is an intelligent storage device. This intelligence enables [illegible] password security feature at the device [illegible] password security [illegible] password. The local processor can be any suitable microprocessor (e.g., a 68HC11 manufactured by Motorola, Inc.). A control memory ROM 108, containing instructions for the local processor, and a data memory RAM 110, containing data for microprocessor operation, are coupled to the processor 106.

An interface control [illegible] the device 100 [illegible] 11 (shown in FIGS. 1 and 2). Coupled to the [illegible] is a buffer 114 which [illegible] controller 112. A read/write channel [illegible] storage media 102 and to the local [illegible] pulses [illegible] usable information. This unit 116 can take the form of a head amplifier in the case where the storage [illegible] Flash EEPROM.

A media control ASIC (application-specific integrated 
circuit) is used to control the storage media 102. In the case 
where the storage media 102 is a disk drive, block 104 would 
take the form of a control for a spindle motor. In the case 
where storage media 102 is an IC memory (e.g., Flash 
EEPROM), block 104 would take the form of a format 
reader and could also perform bit parity checks. Along with 
read/write channel unit 116, the media control logic 104 
translates physical media characteristics into logic levels 
(i.e., it converts magnetic flux changes into a bit stream). 

In a preferred embodiment the device 100 is a pc card in accordance with the PCMCIA standard. More specifically, a PCMCIA-ATA card is defined. ATA represents AT-attachable, wherein AT is a trademark of International Business Machines Corporation. PCMCIA devices (other than simple memory cards) communicate with a host computer system via a high level set of commands. For PCMCIA-ATA files, these commands are similar to those employed by more traditional fixed disks. In accordance with the invention, a new ATA and PCMCIA-ATA compatible command called "Password" is defined. For storage devices, the invention is preferably implemented within the file specific command structure in order to maintain compatibility across systems, whether they contain removable files or not. The Password command takes three forms: (1) Password-Enable; (2) Password-Send; and (3) Password-Disable.

Operationally, the owner of a pc card (e.g., card 100) would insert the pc card 100 into the port 14 in the computer 10 (shown in FIG. 1) to use the card 100. If the pc card is not previously in a password protected mode and the owner wishes to make the card 100 password protected, he or she would enter a valid password into the computer unit 10 along with a Password-Enable command. The computer unit 10 would then transfer the password string to the card 100 thus enabling a protection mode in the device 100. This password need not match any previous password, and it does not operate if password protection is already active. To prevent [illegible] require that [illegible] password [illegible] in the same atomic [illegible] change [illegible] of the password [illegible] users (i.e., those who do not [illegible]) modifying passwords or [illegible].

Exposure also exists from the time of delivery to the customer until the user enables and sets a password for the first time (i.e., if the user has not yet, or never intends to use the password protection features of the invention). [illegible] card 100 [illegible] the security feature [illegible] that owner would suffer [illegible] the prior art [illegible] a default password can be [illegible] protect [illegible] for the first [illegible] password [illegible] change instruction.

When a user enters a Password-Send command into the computer 10 it transfers the password string to the device 100. The device 100 compares this string with its recorded string (if password protection has been previously invoked) and enables normal operation if the password is valid. This command also sets an error condition if the password is not valid (and password protection has been previously invoked). It does not compare passwords if password security is not enabled. The device 100 will function normally until a reset (soft or hard) is generated. After a reset, this command must be issued again.

When the user wishes to disable the password security feature, he or she enters a Password-Disable command into the computer 10, and the computer 10 transfers the password string to the device 100. If the password is valid, password protection is disabled. The password is write only from the system 10 to the file 100.

There are two classes of passwords: (1) Write protection (read-only); and (2) Read/Write protection. In the case of write protection passwords, the device 100 is fully operational, with the exception that any write or format operations are disabled. In the read/write protection mode, the device 100 is rendered useless to those without knowledge of the password. Theft of the device would not allow the rightful owner to use the device 100, but the thief is unable both to use the device and to access the data contained therein. The "identify drive" command remains operable so that it may be used to indicate whether password protection is active.

To indicate that card 100 is password protected, a unique 
string of characters is returned from the card 100 to the 
computer 10 (within the ID DRIVE information block). This 
provides a standard method for the computer system 10 to 
determine whether it must supply a password (via the 
password command) to continue operation with the storage 
device. 

Host systems that are password aware may look at this 
data field prior to attempting access, and determine whether 
the password is required to be issued to the drive. Preferably, 
this issuance will be accomplished via system prompt of the 
user. 

In a preferred embodiment, the password and a password enabling flag are stored in the media 102 itself, along with the protected data, rather than with the control electronics. This provides an increased level of security because a sophisticated thief would be prevented from replacing the control electronics on the target device with those of a similar but unprotected device (or one with a known password). In other words, if the password is part of the electronics instead of the media, the electronics can be switched to gain access to the media. The electronics and the media are easy to separate as a result of the manufacturing process.

The controller firmware does not allow user access to the
password storage area of the media. Design verification 
testing should provide assurance that the user commands 
range check their parameters to prevent unintended access to 
this area (such as a negative array subscript). 
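
The device-side behaviour of the three Password commands, the two password classes, the relock on reset and the parameter range check described above, as an added example in C that is not the patent's firmware. The sector layout (PW_AREA_START), the 32-byte password field, the status codes, all function names, the constant-time compare and keeping the card usable until reset after Password-Enable are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PW_MAX        32   /* assumed fixed password field size */
#define PW_AREA_START 60   /* assumed: sectors >= 60 hold password + flag */

enum pw_class { PW_NONE, PW_WRITE_PROTECT, PW_READ_WRITE };
enum status { ST_OK, ST_LOCKED, ST_BAD_PASSWORD, ST_ALREADY_ENABLED, ST_RANGE };

struct card {
    enum pw_class cls;     /* kept on the media, survives reset */
    char stored[PW_MAX];   /* kept on the media, never readable by the host */
    int unlocked;          /* volatile session state, cleared by reset */
};

static void pw_pad(char out[PW_MAX], const char *pw) {
    memset(out, 0, PW_MAX);
    strncpy(out, pw, PW_MAX - 1);
}

/* Compare every byte so timing does not reveal the matching prefix
   (a hardening choice of this example, not stated in the text). */
static int pw_match(const struct card *c, const char *pw) {
    char in[PW_MAX];
    unsigned char diff = 0;
    pw_pad(in, pw);
    for (size_t i = 0; i < PW_MAX; i++)
        diff |= (unsigned char)(in[i] ^ c->stored[i]);
    return diff == 0;
}

void card_reset(struct card *c) { c->unlocked = 0; }

/* Identify-drive stays operable while locked and reports protection. */
int identify_protected(const struct card *c) { return c->cls != PW_NONE; }

enum status password_enable(struct card *c, enum pw_class cls, const char *pw) {
    if (c->cls != PW_NONE) return ST_ALREADY_ENABLED; /* no blind overwrite */
    pw_pad(c->stored, pw);
    c->cls = cls;
    c->unlocked = 1;       /* assumption: session stays usable until reset */
    return ST_OK;
}

enum status password_send(struct card *c, const char *pw) {
    if (c->cls == PW_NONE) return ST_OK;   /* nothing to compare */
    if (!pw_match(c, pw)) return ST_BAD_PASSWORD;
    c->unlocked = 1;
    return ST_OK;
}

enum status password_disable(struct card *c, const char *pw) {
    if (c->cls == PW_NONE) return ST_OK;
    if (!pw_match(c, pw)) return ST_BAD_PASSWORD;
    memset(c->stored, 0, PW_MAX);
    c->cls = PW_NONE;
    return ST_OK;
}

/* Range check first: a negative or oversized sector never reaches the
   password area, whatever the lock state. */
static enum status check(const struct card *c, int32_t lba, int is_write) {
    if (lba < 0 || lba >= PW_AREA_START) return ST_RANGE;
    if (c->unlocked || c->cls == PW_NONE) return ST_OK;
    if (!is_write && c->cls == PW_WRITE_PROTECT) return ST_OK;
    return ST_LOCKED;
}

enum status card_read(const struct card *c, int32_t lba)  { return check(c, lba, 0); }
enum status card_write(const struct card *c, int32_t lba) { return check(c, lba, 1); }

int main(void) {
    struct card c = {0};
    password_enable(&c, PW_READ_WRITE, "constructed-pw"); /* constructed sample */
    card_reset(&c);                        /* e.g. card pulled and reinserted */
    printf("locked read: %d\n", card_read(&c, 3));
    password_send(&c, "constructed-pw");
    printf("unlocked read: %d, sector -1: %d\n", card_read(&c, 3), card_read(&c, -1));
    return 0;
}
```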

In order to deal with cases where the owner of the pc card 100 loses the password, a "backup" password may be assigned at the time of manufacture. This "override" password would be indexed according to the device serial number and list maintained by the manufacturer. This password would be printed in the written materials that come with the device, and instructions would include advice that the password be stored securely. If the password is lost, the owner would need only check these materials.

What is claimed is: 

1. An information storage system, for use in a computer or other information processing system, said information storage system comprising:

an information storage device for storing information including a read-only password and a read/write password;

said storage system having selectable read-only and read/write password protected modes of operation;

when said read-only mode is selected, said storage system being unlocked to permit read-only access to said storage device in response to a match between an incoming password and a read-only password stored in said storage device; and

when said read/write mode is selected, said storage system being unlocked to permit read/write access to said storage device in response to a match between an incoming password and a read/write password stored in said storage device;

whereby, when one or more of said password protected modes have been selected, and in the event the information storage system is removed from the information processing system, access to the storage device will be locked until a password is sent to said storage system that matches one of said read-only or read/write passwords stored in said storage device.

2. The information storage system of claim 1, further comprising means for programming the read-only and read/write passwords stored in said storage device.

3. The information storage system of claim 1, further comprising a selectable unprotected mode of operation wherein access to said storage device is not password protected when said unprotected mode is selected.

4. The information storage system of claim 1, further comprising:

a selectable unprotected mode of operation wherein access to said storage device is not password protected when said unprotected mode is selected; and

means for disabling said read-only and read/write passwords, such that said unprotected mode is selected in response to both read-only and read/write passwords being disabled.

5. The information storage system of claim 1, further comprising a backup password, wherein access to said storage device is enabled in response to a match between a received password and said backup password.

6. A computer or other information processing system comprising a processor, a memory, a data input device, a data output device, and an information storage system for storing information including a read-only password and a read/write password, said information storage system further comprising:

read-only and read/write password protected modes of operation; wherein said storage system is unlocked in said read-only mode to permit read-only access to the information stored in said storage system in response to a match between an incoming password and a read-only password stored in said storage system; and wherein said storage system is unlocked in said read/write mode to permit read/write access to said storage system in response to a match between an incoming password and a read/write password stored in said storage system; whereby, when one or more of said password protected modes have been selected and when said storage system has been removed from said computer or other information processing system, access to the storage system is locked until a password is sent to said storage system that matches one of said read-only or read/write passwords stored in said storage system.

7. The computer or other information processing system 
of claim 6, further comprising means for programming the 
read-only and read/write passwords stored in said storage 
system. 

8. The computer or other information processing system 
of claim 6, further comprising a selectable unprotected mode 
of operation wherein access to said storage system is not 
password protected when said unprotected mode is selected. 

9. The computer or other information processing system 
of claim 6, further comprising: 

a selectable unprotected mode of operation wherein 
access to said storage system is not password protected 
when said unprotected mode is selected; and 

means for disabling said read-only and read/write passwords, such that said unprotected mode is selected in response to both read-only and read/write passwords being disabled.

10. The computer or other information processing system of claim 6, further comprising a backup password, wherein access to said storage system is enabled in response to a match between a received password and said backup password.

* * * * * 